Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Risk Response Planning, and lays the foundation for Quantitative Risk Analysis, if this is required. Qualitative Risk Analysis should be revisited during the project’s life cycle to stay current with changes in the project risks. Qualitative Risk Analysis requires outputs of the Risk Management Planning Section 11.1 and Risk Identification Section 11.2 processes. This process can lead into Quantitative Risk Analysis Section 11.4 or directly into Risk Response Planning Section 11.5. Figure 11-7. Qualitative Risk Analysis: Inputs, Tools Techniques, and Outputs

11.3.1 Qualitative Risk Analysis: Inputs

.1 Organizational Process Assets Data about risks on past projects and the lessons learned knowledge base can be used in the Qualitative Risk Analysis process. .2 Project Scope Statement Projects of a common or recurrent type tend to have more well-understood risks. Projects using state-of-the-art or first-of-its-kind technology, and highly complex projects, tend to have more uncertainty. This can be evaluated by examining the project scope statement Section 5.2.3.1. .3 Risk Management Plan Key elements of the risk management plan for Qualitative Risk Analysis include roles and responsibilities for conducting risk management, budgets, and schedule activities for risk management, risk categories, definition of probability and impact, the probability and impact matrix, and revised stakeholders’ risk tolerances also enterprise environmental factors in Section 4.1.1.3. These inputs are usually tailored to the project during the Risk Management Planning process. If they are not available, they can be developed during the Qualitative Risk Analysis process. .4 Risk Register A key item from the risk register for Qualitative Risk Analysis is the list of identified risks Section 11.2.3.1. A Guide to the Project Management Body of Knowledge PMBOK ® Guide Third Edition 250 2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA 19073-3299 USA

11.3.2 Qualitative Risk Analysis: Tools and Techniques

.1 Risk Probability and Impact Assessment Risk probability assessment investigates the likelihood that each specific risk will occur. Risk impact assessment investigates the potential effect on a project objective such as time, cost, scope, or quality, including both negative effects for threats and positive effects for opportunities. Probability and impact are assessed for each identified risk. Risks can be assessed in interviews or meetings with participants selected for their familiarity with the risk categories on the agenda. Project team members and, perhaps, knowledgeable persons from outside the project, are included. Expert judgment is required, since there may be little information on risks from the organization’s database of past projects. An experienced facilitator may lead the discussion, since the participants may have little experience with risk assessment. The level of probability for each risk and its impact on each objective is evaluated during the interview or meeting. Explanatory detail, including assumptions justifying the levels assigned, is also recorded. Risk probabilities and impacts are rated according to the definitions given in the risk management plan Section 11.1.3.1. Sometimes, risks with obviously low ratings of probability and impact will not be rated, but will be included on a watchlist for future monitoring. .2 Probability and Impact Matrix 11 Risks can be prioritized for further quantitative analysis Section 11.4 and response Section 11.5, based on their risk rating. Ratings are assigned to risks based on their assessed probability and impact Section 11.3.2.2. Evaluation of each risk’s importance and, hence, priority for attention is typically conducted using a look-up table or a probability and impact matrix Figure 11-8. Such a matrix specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority. Descriptive terms or numeric values can be used, depending on organizational preference. The organization should determine which combinations of probability and impact result in a classification of high risk “red condition”, moderate risk “yellow condition”, and low risk “green condition”. In a black-and-white matrix, these conditions can be denoted by different shades of gray. Specifically, in Figure 11-8, the dark gray area with the largest numbers represents high risk; the medium gray area with the smallest numbers represents low risk; and the light gray area with in-between numbers represents moderate risk. Usually, these risk- rating rules are specified by the organization in advance of the project, and included in organizational process assets Section 4.1.1.4. Risk rating rules can be tailored in the Risk Management Planning process Section 11.1 to the specific project. A probability and impact matrix, such as the one shown in Figure 11-8, is often used. A Guide to the Project Management Body of Knowledge PMBOK ® Guide Third Edition 2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA 19073-3299 USA 251 Figure 11-8. Probability and Impact Matrix As illustrated in Figure 11-8, an organization can rate a risk separately for each objective e.g., cost, time, and scope. In addition, it can develop ways to determine one overall rating for each risk. Finally, opportunities and threats can be handled in the same matrix using definitions of the different levels of impact that are appropriate for each. The risk score helps guide risk responses. For example, risks that have a negative impact on objectives if they occur threats, and that are in the high-risk dark gray zone of the matrix, may require priority action and aggressive response strategies. Threats in the low-risk medium gray zone may not require proactive management action beyond being placed on a watchlist or adding a contingency reserve. Similarly for opportunities, those in the high-risk dark gray zone that can be obtained most easily and offer the greatest benefit should, therefore, be targeted first. Opportunities in the low-risk medium gray zone should be monitored. .3 Risk Data Quality Assessment A qualitative risk analysis requires accurate and unbiased data if it is to be credible. Analysis of the quality of risk data is a technique to evaluate the degree to which the data about risks is useful for risk management. It involves examining the degree to which the risk is understood and the accuracy, quality, reliability, and integrity of the data about the risk. The use of low-quality risk data may lead to a qualitative risk analysis of little use to the project. If data quality is unacceptable, it may be necessary to gather better data. Often, collection of information about risks is difficult, and consumes time and resources beyond that originally planned. A Guide to the Project Management Body of Knowledge PMBOK ® Guide Third Edition 252 2004 Project Management Institute, Four Campus Boulevard, Newtown Square, PA 19073-3299 USA .4 Risk Categorization Risks to the project can be categorized by sources of risk e.g., using the RBS, the area of the project affected e.g., using the WBS, or other useful category e.g., project phase to determine areas of the project most exposed to the effects of uncertainty. Grouping risks by common root causes can lead to developing effective risk responses. .5 Risk Urgency Assessment Risks requiring near-term responses may be considered more urgent to address. Indicators of priority can include time to effect a risk response, symptoms and warning signs, and the risk rating.

11.3.3 Qualitative Risk Analysis: Outputs

.1 Risk Register Updates The risk register is initiated during the Risk Identification process. The risk register is updated with information from Qualitative Risk Analysis and the updated risk